Pursuant to the Federal Trade Commission’s (“FTC”) Identity Theft Prevention Red Flags Rule (16 C.F.R. § 681.2), which went into effect on January 1, 2008, financial institutions and creditors that maintain “covered accounts” must prepare and implement a written “Red Flags” Program by May 1, 2009. Whether a business or organization is covered by the Red Flags Rule does not depend on its industry or sector, but on whether its activities fall within the Rule’s definitions of “financial institution,” “creditor,” and “covered account.”
What Businesses are Covered?
“Financial institutions” are defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other person that, directly or indirectly, holds a transaction account belonging to a consumer.
The definition of “creditor” under the Red Flags Rule is broad and includes businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later. According to the FTC, this can include a wide variety of businesses from utility companies to health care providers.
Only financial institutions and creditors with “covered accounts” must implement a Red Flags Program. There are two types of “covered accounts”:
1. “Consumer accounts,” which are accounts offered to customers primarily for personal, family, or household purposes that involve or are designed to permit multiple payments or transactions (e.g. credit card accounts, mortgage loans, automobile loans, cell phone accounts, and checking accounts); and
2. Any other account that a financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks. The FTC advises that in determining if accounts are covered under this second category, businesses should consider how they are opened and accessed. For example, there may be a reasonably foreseeable risk of identity theft in connection with business accounts that can be accessed remotely (e.g. through the Internet or by telephone).
Requirements for an Effective “Red Flags” Program.
Financial institutions and creditors must develop, implement, and administer an Identity Theft Prevention Program, which must include four basic elements.
1. Identification of Red Flags. The Program must include reasonable policies and procedures to identify the “red flags” of identity theft that the business is likely to encounter. “Red flags” are patterns, practices, or specific activities that indicate the possibility of identity theft. Examples include alerts or notices from credit reporting agencies, suspicious documents, suspicious personal identification information, and suspicious account activity. Some red flags will be specific to the particular business or organization and the way it opens and services its accounts.
2. Detect Red Flags. The Program must be designed to detect the “red flags” that have been identified. The financial institution or creditor must lay out procedures for detecting them in the day-to-day operation of the business. In creating the procedures, the business needs to consider how detection may differ depending on whether an identity verification is taking place in person or at a distance (e.g. by telephone, mail, Internet, etc.).
3. Prevention and Mitigation. The Program must spell out the appropriate actions the financial institution or creditor will take when it detects “red flags.” The response to a particular “red flag” will depend upon the degree of risk it poses. When taking action, a business must also accommodate and comply with its other legal obligations (e.g. privacy laws and other laws governing the medical profession).
4. Continued Evaluation. The Program must be re-evaluated and updated periodically due to the ever-changing threats associated with identity theft. According to the FTC, as technology changes or identity thieves change their tactics, financial institutions and creditors will need to update their Programs to ensure they keep current with the risks.
Administering Your “Red Flags” Program.
1. Approval. According to the FTC, if a financial institution or creditor is a corporation, its Red Flags Program must be approved by the Board of Directors or a committee of the Board. If the business is not a corporation, the Program must be approved by someone in a senior management position.
2. Administration. The financial institution or creditor must designate one or more individuals to serve as the Administrator of the Program. The Administrator is responsible for implementing the Program, training personnel on the Program, reviewing documents and information for compliance with the Program, re-evaluating and updating the Program, and reporting to the Board or senior management annually on the Program.
3. Training. The Rule requires that financial institutions and creditors train relevant staff on the policies and procedures under the Red Flags Program.
4. Third-Party Providers. If a financial institution or creditor contracts with service providers, and any activity performed by those service providers implicates the Red Flags Rule, the financial institution or creditor should seek confirmation that the service providers have an appropriate Red Flags Program in place.
Compliance with the Red Flags Rule is mandatory for all financial institutions and creditors with “covered accounts.” There is no one-size-fits-all Program and each business or organization should evaluate its “covered accounts” and the various activities or transactions related to those accounts that could give rise to identity theft.
Weintraub Genshlea Chediak Tobin & Tobin can provide assistance not only with the preparation of written Identity Theft Prevention (Red Flags) Programs, but also with training your employees under the Program. For more information or assistance please contact Lizbeth V. West, Esq. at (916) 558-6082.